05-26-2010 08:53 AM
I have 2 tunnels that work fine. I tried adding a third tunnel. When I go to test it in packet tracer I get a failure at the second VPN lookup, which is encryption. When packet tracing the other two tunnels, they look identical except they don't fail. I did this in ASDM. I then pulled the config and compared the new tunnel with the old ones, and they are all parallel, so this makes no sense.
05-26-2010 10:23 AM
Hi,
What's the failure with the third tunnel exactly? Phase 1, Phase 2?
Could you post the relevant part of the configs?
The problem could be related to routing or NAT perhaps or even VPN configuration.
Federico.
05-26-2010 12:00 PM
Tunnel 192.168.1.50 to 10.1.1.37 works, peer 216.187.131.9
I created another tunnel 192.168.1.51 to 10.1.1.37 not working, peer 216.187.131.19
S* 0.0.0.0 0.0.0.0 [1/0] via 217.19.23.1, outside
C 192.168.0.0 255.255.254.0 is directly connected, inside-servers
access-list Outside-In extended permit ip host 192.168.1.50 host 10.1.1.37
access-list Outside-In extended permit ip host 192.168.1.51 host 10.1.1.37
access-list outside_nat0_outbound extended permit ip host 192.168.1.50 host 10.1.1.37
access-list outside_nat0_outbound extended permit ip host 192.168.1.51 host 10.1.1.37
access-list inside-servers_nat0_outbound extended permit ip host 192.168.1.50 host 10.1.1.37
access-list inside-servers_nat0_outbound extended permit ip host 192.168.1.51 host 10.1.1.37
access-list outside_cryptomap extended permit ip host 192.168.1.50 host 10.1.1.37
access-list outside_cryptomap_1 extended permit ip host 192.168.1.51 host 10.1.1.37
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 216.187.131.9
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set peer 216.187.131.19
crypto map outside_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
tunnel-group 216.187.131.9 type ipsec-l2l
tunnel-group 216.187.131.9 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group 216.187.131.19 type ipsec-l2l
tunnel-group 216.187.131.19 ipsec-attributes
pre-shared-key *
GOOD VPN:
packet-tracer input inside-servers icmp 192.168.1.50 0 0 10.1.1.37
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-servers_access_in in interface inside-servers
access-list inside-servers_access_in extended permit icmp any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside-servers host 192.168.1.50 outside host 10.1.1.37
NAT exempt
translate_hits = 18817, untranslate_hits = 70143
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside-servers,inside-IT) 192.168.0.0 192.168.0.0 netmask 255.255.254.0
match ip inside-servers 192.168.0.0 255.255.254.0 inside-IT any
static translation to 192.168.0.0
translate_hits = 65266, untranslate_hits = 460676
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside-servers) 101 0.0.0.0 0.0.0.0
match ip inside-servers any outside any
dynamic translation to pool 101 (207.191.231.2 [Interface PAT])
translate_hits = 7092125, untranslate_hits = 76745
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 159410518, packet dispatched to next module
Result:
input-interface: inside-servers
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
BAD VPN:
packet-tracer input inside-servers icmp 192.168.1.51 0 0 10.1.1.37
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-servers_access_in in interface inside-servers
access-list inside-servers_access_in extended permit icmp any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside-servers host 192.168.1.51 outside host 10.1.1.37
NAT exempt
translate_hits = 3, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside-servers,inside-IT) 192.168.0.0 192.168.0.0 netmask 255.255.254.0
match ip inside-servers 192.168.0.0 255.255.254.0 inside-IT any
static translation to 192.168.0.0
translate_hits = 64939, untranslate_hits = 459214
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside-servers) 101 0.0.0.0 0.0.0.0
match ip inside-servers any outside any
dynamic translation to pool 101 (207.191.231.2 [Interface PAT])
translate_hits = 7091904, untranslate_hits = 76744
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside-servers
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
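Comparing two long packet-tracer outputs by eye, as done above, is error-prone. The following is an added helper (not from the thread or from Cisco) that parses the packet-tracer text format shown above, reports the first phase whose Result is DROP together with the Drop-reason from the summary block, and finds the first phase at which a good and a bad trace diverge; the two embedded traces are constructed, abbreviated versions of the ones posted.

```python
# Constructed, abbreviated traces in the ASA packet-tracer format seen above
# (field names are the ones the ASA prints; most phases were cut for brevity).
GOOD = ("Phase: 1\nType: ACCESS-LIST\nSubtype:\nResult: ALLOW\nConfig:\nImplicit Rule\n"
        "Phase: 2\nType: VPN\nSubtype: encrypt\nResult: ALLOW\nConfig:\nAdditional Information:\n"
        "Phase: 3\nType: FLOW-CREATION\nSubtype:\nResult: ALLOW\n"
        "Result:\ninput-interface: inside-servers\nAction: allow\n")
BAD = ("Phase: 1\nType: ACCESS-LIST\nSubtype:\nResult: ALLOW\nConfig:\nImplicit Rule\n"
       "Phase: 2\nType: VPN\nSubtype: encrypt\nResult: DROP\nConfig:\nAdditional Information:\n"
       "Result:\ninput-interface: inside-servers\nAction: drop\n"
       "Drop-reason: (acl-drop) Flow is denied by configured rule\n")

def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts and the final summary dict."""
    phases, summary, cur, in_summary = [], {}, None, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "Result:":                  # a bare "Result:" opens the final summary block
            in_summary, cur = True, None
        elif in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "", "result": "", "detail": []}
            phases.append(cur)
        elif cur is not None:                  # skip anything before the first phase (the echoed command)
            field = next((f for f in ("Type", "Subtype", "Result") if line.startswith(f + ":")), None)
            if field:
                cur[field.lower()] = line.split(":", 1)[1].strip()
            elif line not in ("Config:", "Additional Information:"):
                cur["detail"].append(line)     # matched rule, NAT hit counters, etc.
    return phases, summary

def first_drop(text):
    """Return (phase number, type, subtype, drop-reason) of the first DROP phase, or None."""
    phases, summary = parse_trace(text)
    for p in phases:
        if p["result"] == "DROP":
            return p["phase"], p["type"], p["subtype"], summary.get("Drop-reason", "")
    return None

def first_divergence(good_text, bad_text):
    """Compare two traces phase by phase; return (phase, good triple, bad triple) at the first mismatch."""
    good, _ = parse_trace(good_text)
    bad, _ = parse_trace(bad_text)
    for g, b in zip(good, bad):
        gt, bt = (g["type"], g["subtype"], g["result"]), (b["type"], b["subtype"], b["result"])
        if gt != bt:
            return g["phase"], gt, bt
    return None
```

Run first_divergence on the full good and bad traces above to confirm the two flows only differ at the VPN encrypt phase, which narrows the problem to the crypto map / crypto ACL match for that flow.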
05-26-2010 12:07 PM
Both tunnels go to the same peer IP 216.187.131.19
The only difference is the interesting traffic.
There's no need to create two tunnels (in fact it would not work).
What you need is to create a single tunnel to the peer 216.187.131.19 and have the crypto ACL with both connections.
So for instance only this tunnel:
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 216.187.131.9
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
access-list outside_cryptomap extended permit ip host 192.168.1.50 host 10.1.1.37
access-list outside_cryptomap extended permit ip host 192.168.1.51 host 10.1.1.37
And get rid of the configuration for the other tunnel.
Federico.
05-26-2010 12:14 PM
The peers are different: one is 9, the other is 19:
Tunnel 192.168.1.50 to 10.1.1.37 works, peer 216.187.131.9
I created another tunnel 192.168.1.51 to 10.1.1.37 not working, peer 216.187.131.19
05-26-2010 12:22 PM
Sorry, I missed that; you're right, the public IPs are different, so you need two tunnels.
My question now is... you're trying to access the same IP through the tunnel; why is that?
Is it the same device that you're trying to access (via two different locations)?
It seems that's the problem, because you're attempting to send traffic to the same host through two different tunnels.
If the first tunnel is already established, the second tunnel won't encrypt traffic to the same host.
Federico.
05-26-2010 12:50 PM
It should work because I'm specifying interesting traffic from another server; even if the endpoint is technically the same IP, it is located at another location, so the two are mutually exclusive private IPs. But just for the sake of difference I changed it so they're different, but still the same problem.
Tunnel 192.168.1.50 to 10.1.1.37 works, peer 216.187.131.9
I created another tunnel 192.168.1.51 to 10.1.1.36 not working, peer 216.187.131.19
What now?